CampaignPress Security & Risk Analysis

wordpress.org/plugins/campaignpress

Do you send a newsletter based on content from your website using your Mailchimp account? Ever want to select a bunch of posts and have them appear in …

0 active installs · v1.4 · PHP + WP 4.0+ · Updated Mar 7, 2024
Tags: campaign, mailchimp, mailchimp-campaign, merge-tags, send-mailchimp
Score: 85
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is CampaignPress Safe to Use in 2026?

Generally Safe

Score 85/100

CampaignPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2yr ago
Risk Assessment

CampaignPress v1.4 exhibits a generally strong security posture, with no known historical vulnerabilities and a robust approach to handling sensitive operations. Static analysis identified a significant number of REST API routes, all of which implement permission callbacks, which limits the risk of unauthorized access through this common entry point. The plugin also shows good practice in its SQL query handling, with a high proportion of prepared statements, and a commendable rate of output escaping. The absence of file operations, external HTTP requests, and dangerous functions further contributes to its secure design.

However, there are specific areas for improvement. The most notable concern is the complete absence of nonce checks across all identified entry points, including the 23 REST API routes. Permission checks are in place, but nonce validation is a crucial defense against Cross-Site Request Forgery (CSRF). Furthermore, a single taint flow with unsanitized paths was identified. Although classified as non-critical, it warrants attention because it represents a potential pathway for malicious input to be processed without proper sanitization.

In conclusion, CampaignPress v1.4 is well-designed in many respects, particularly in its handling of database queries and output. The lack of historical vulnerabilities is a positive indicator of its maintainers' commitment to security. The primary weaknesses are the omission of nonce checks and the single unsanitized taint flow; while neither leads to an immediate critical vulnerability based on the available data, both represent potential risks that should be addressed to further strengthen the plugin's overall security.

Key Concerns

  • Missing nonce checks on entry points
  • One data flow with unsanitized paths
Vulnerabilities
None known

CampaignPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

CampaignPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (6 prepared)
Unescaped Output: 6 (26 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

86% prepared · 7 total queries

Output Escaping

81% escaped · 32 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

1 flow, 1 with unsanitized paths
<core> (includes\core.php:0)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

CampaignPress Attack Surface

Entry Points: 23
Unprotected: 0

REST API Routes (23)

GET /wp-json/campaignpress/v1/settings (includes\core.php:1041)
POST /wp-json/campaignpress/v1/settings (includes\core.php:1042)
GET /wp-json/campaignpress/v1/settings/logs (includes\core.php:1043)
POST /wp-json/campaignpress/v1/campaigns/remove (includes\core.php:1044)
POST /wp-json/campaignpress/v1/templates/remove (includes\core.php:1045)
GET /wp-json/campaignpress/v1/audiences (includes\core.php:1046)
POST /wp-json/campaignpress/v1/audiences/reset (includes\core.php:1047)
POST /wp-json/campaignpress/v1/audiences/webhook_registration (includes\core.php:1048)
GET /wp-json/campaignpress/v1/audiences/(?P<audience_id>[a-zA-Z0-9-]+) (includes\core.php:1049)
POST /wp-json/campaignpress/v1/audiences/(?P<audience_id>[a-zA-Z0-9-]+) (includes\core.php:1050)
GET /wp-json/campaignpress/v1/audiences/(?P<audience_id>[a-zA-Z0-9-]+)/sections (includes\core.php:1051)
POST /wp-json/campaignpress/v1/audiences/(?P<audience_id>[a-zA-Z0-9-]+)/preview (includes\core.php:1052)
POST /wp-json/campaignpress/v1/audiences/(?P<audience_id>[a-zA-Z0-9-]+)/template (includes\core.php:1053)
GET /wp-json/campaignpress/v1/content (includes\core.php:1054)
GET /wp-json/campaignpress/v1/content/(?P<post_id>[0-9-]+) (includes\core.php:1055)
GET /wp-json/campaignpress/v1/metabox (includes\core.php:1056)
POST /wp-json/campaignpress/v1/metabox (includes\core.php:1057)
DELETE /wp-json/campaignpress/v1/metabox (includes\core.php:1058)
POST /wp-json/campaignpress/v1/reset (includes\core.php:1059)
POST /wp-json/campaignpress/v1/toast/hide (includes\core.php:1060)
POST /wp-json/campaignpress/v1/validate-mailchimp-api-key (includes\core.php:1062)
POST /wp-json/campaignpress/v1/remove-mailchimp-api-key (includes\core.php:1063)
GET /wp-json/campaignpress/v1/categories (includes\core.php:1065)
WordPress Hooks (15)

action init (includes\core.php:38)
action add_meta_boxes (includes\core.php:41)
action rest_api_init (includes\core.php:44)
action admin_menu (includes\core.php:47)
action admin_notices (includes\core.php:50)
action parse_request (includes\core.php:53)
filter query_vars (includes\core.php:54)
filter script_loader_tag (includes\core.php:57)
action admin_enqueue_scripts (includes\core.php:60)
filter manage_posts_columns (includes\core.php:62)
action manage_posts_custom_column (includes\core.php:63)
filter heartbeat_received (includes\core.php:65)
filter heartbeat_send (includes\core.php:66)
action after_theme_setup (includes\core.php:79)
action admin_enqueue_scripts (includes\core.php:80)
Maintenance & Trust

CampaignPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Mar 7, 2024
PHP min version:
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

CampaignPress Developer Profile

Nick Tomkin

3 plugins · 700 total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 265 days
Detection Fingerprints

How We Detect CampaignPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/campaignpress/../../dist/css/tailwind.css
/wp-content/plugins/campaignpress/../../js/dist/app.css
/wp-content/plugins/campaignpress/../../js/dist/app.js
Script Paths
/wp-content/plugins/campaignpress/../../js/dist/app.js
Version Parameters
/../../dist/css/tailwind.css?ver=
/../../js/dist/app.css?ver=
/../../js/dist/app.js?ver=

HTML / DOM Fingerprints

CSS Classes
campaignpress-ui-container
HTML Comments
--- Action: pluginInit ---
--- Action: addMenuItem ---
--- Action: pageHtml ---
--- Action: adminPluginAssets ---
(+1 more)
Data Attributes
data-page, data-nonce, data-show-debug
JS Globals
orchestrated_campaignpress_app
REST Endpoints
/wp-json/orchestrated_campaignpress/v1/
FAQ

Frequently Asked Questions about CampaignPress